For those of us using Adobe AIR for cross-platform rapid deployment, there are few things more unprofessional than sending a test build to a client and having them face an ominous warning about an untrusted publisher. Let’s take care of that once and for all.

At some point in your development life, you’ll want to get an object signing certificate from a root certificate authority (CA) instead of self-signing. It’s relatively easy to do on any platform, but a quick web search shows lots of confused OS X users (especially about the last steps), so I’ll write out how I did it, step by step, in the hope of helping someone out there.

Step 1 – Register with a CA

The first thing you’ll need to do is select a CA. This is a personal decision, of course, but for those of us using SSL, S/MIME, and Object certificates on multiple platforms, using someone like Verisign, GlobalSign or Thawte will cost you a small fortune every year. Seriously, $500 per certificate, per year? For a digital signature? Really?

Personally, I use StartSSL. (Note: I get nothing from them, I’m just a satisfied customer.) The only costs are for verification — $60 for two years for personal verification, an extra $60 if you want your company name on it, and that’s it. Then you can sign as many Class 2 (or Class 3) certificates as you want.

So pick your preferred company, sign up, send in all of your documents (identification for class 2, articles of incorporation for class 3, etc.), and get approved. This may take a few days depending upon the company and method you choose.

As a side note, I recommend using Safari for every step from beginning to end if you’re on the Mac — there are a few pitfalls you’ll avoid by sticking with one browser during key creation.

Step 2 – Create a Certificate Request (CSR)

Fire up Keychain Access, and use the Certificate Assistant to request a certificate from a certificate authority. Fill in the email address and name associated with your account, and select “Saved to disk”.

Now, find the file and send your request to the CA. You might have to open it in a text editor and just copy and paste the contents depending upon your CA.

Next, you’ll probably have to wait for approval. After a while, you’ll be able to download your certificate. Double-click it, and it will add itself to Keychain Access. Click on it to make sure it’s valid.

Common Pitfall #1 – “This certificate was signed by an unknown authority”

Judging by some quick searches, this is the first place people get stuck. Don’t worry — it’s simple. The certificate can’t be validated until you have installed both the CA’s root certificate and the intermediate certificate for the proper class.

Just go back to the CA, download these two certificates, and install them. Once all three are in Keychain Access, it will change to “This certificate is valid.”

Note that this is a very common pitfall for S/MIME certificates too, both on OS X and iOS. Just install the proper root & intermediate certs and you’ll be good to go.

Common Pitfall #2 – Not including the whole certificate chain

By the discussions I’ve seen on various forums, I’m going to take a wild guess that the reason you’re here is because you’ve done everything above, exported your key, and now you’re banging your head against your desk because no matter what you do, you keep getting the dreaded error: “Error creating AIR file: Unable to build a valid certificate chain for the signer.” That’s simply because you didn’t include the intermediate and root certs in your export.

Before exporting the certificate, verify that Keychain Access can see the entire certificate chain. Right-click your certificate, pick “Evaluate”, and then pick “Code Signing” in the next dialog. Take a look at the Evaluation Status. If it says “No root cert found”, it means that Keychain Access cannot find the root & intermediate certificates for this certificate.

Final Step – Export the certificate with the full chain intact

The trick is to select all three certificates (command-click) before hitting export. Make sure you have your personal (or Class 3) certificate, the intermediate certificate (in this case, it’s specifically the Object intermediate cert), and the root certificate selected. Now you can safely choose “Export Items” from the File menu, set a password, and export a fully valid PKCS#12 (.p12) certificate.

(If you happen to be a Windows user who wandered in, note that you simply have to hit the checkbox to export the whole certificate chain.)
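
To confirm from Terminal that the exported .p12 really carries the intermediate and root before handing it to the AIR packager, here is an added example (not part of the original post) that uses the openssl command-line tool. The script name check_p12.sh, the file name signer.p12 and the P12PASS variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a PKCS#12 export
# carries its whole chain: every certificate's issuer must also be present
# in the bundle, ending at a self-signed root. This matches names only and
# does not verify signatures or trust.
#
# p12_chain_ok FILE PASSWORD -> 0 complete, 1 incomplete, 2 unreadable
p12_chain_ok() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/p12chk.XXXXXX") || return 2
    # Dump the certificates (never the private key) out of the .p12.
    if ! P12PASS=$2 openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS \
            -out "$tmp/all.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    # Split the dump into one PEM file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; on=1}
        on {print > (d "/cert" n ".pem")}
        /-----END CERTIFICATE-----/ {on=0}' "$tmp/all.pem"
    # Collect the subject name of every certificate in the bundle.
    : > "$tmp/subjects"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || { rm -rf "$tmp"; return 2; }   # no certificates at all
        openssl x509 -in "$c" -noout -subject |
            sed 's/^subject= *//' >> "$tmp/subjects"
    done
    # Each issuer must match one of those subjects; a root matches itself.
    rc=0
    for c in "$tmp"/cert*.pem; do
        issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        if ! grep -Fxq -- "$issuer" "$tmp/subjects"; then
            echo "missing from export: $issuer"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Hypothetical usage: P12PASS='export password' sh check_p12.sh signer.p12
# (the password is read from the environment so it stays off the command line)
if [ $# -eq 1 ]; then p12_chain_ok "$1" "${P12PASS:-}"; fi
```

A "missing from export" line names the certificate that was not selected in Keychain Access before exporting. With OpenSSL 3.x, a .p12 protected with older encryption algorithms may need -legacy added to the pkcs12 call.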